SMB Security: 5 Bright Ideas

Adam Hansen is that rare bird in the small to midsize business (SMB) realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.

Slideshow: 10 breakthroughs in IT security

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Adam Hansen is that rare bird in the small to midsize business (SMB) realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.

Slideshow: 10 breakthroughs in IT security

Granted, Hansen's employer sits on the higher end of the SMB size spectrum, but it is still relatively uncommon for companies with revenues under $500 million to have a person devoted to security. Hansen is rarer yet in that he leads a staff of six security professionals, who handle all aspects of physical and information security for the firm, which has 16 offices. "I've been lucky here," he says. Many companies of comparable size don't have anyone who takes a global view of security.

When it comes to information security, most IT people at SMBs tend to be generalists rather than specialists like the ones at Sonnenschein. "They put in a new disk farm yesterday, today they're doing a website, tomorrow they will do something with security," says Darrell Rodenbaugh, senior VP of the midmarket segment for McAfee Security, a security software vendor in Santa Clara, Calif.

McAfee surveys its vast SMB user population frequently to discern their security practices and habits. "Most spend less than an hour a week proactively managing security," says Rodenbaugh. According to the most recent McAfee survey, most SMB respondents did not believe they are a likely target of cybercrime. "They don't think they are well enough known, but nothing could be further from the truth."

SMBs are still in security catch-up mode compared with large enterprises, according to Adam Hils, principal research analyst for the Atlanta office of Gartner. But catching up they are. One sign of maturity: SMBs are now more likely to have formal, written security policies, at least in the area of IT, according to a recent Gartner survey (see, "SMB IT Security Spending Habits," Page 27). About 47 percent of Gartner SMB survey participants have developed and adopted a formal security policy. And about 30 percent more plan to develop one this year.

That has been a big trend in the last year or so, according to Hils. Regulatory compliance is a major driver to formalize policies on the information security side, especially for retail companies that are within the purview of PCI DSS, the Payment Card Industry Data Security Standard. (See A Tale of Two PCI Audits for more details.) Even for companies that are not big enough to be covered by government regulations, they'll have to comply if they work with larger partners who do.

"Most companies of this size don't take a closer look at security unless they have to for some reason," says Corey Thomas, vice president of marketing and product management for Rapid7, a Boston-based consulting firm. After adopting the basic level of protection, they are often tempted to sit back.

That approach isn't good enough. "A frivolous lawsuit, a key theft or one cyberattack can cripple a small business immediately," says Charles Foley, CEO of TimeSight Systems, a video surveillance vendor in Mount Laurel, N.J. Since resources are short, though, whatever security measures SMBs do take need to be cost-effective and easy to implement.